Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] free SSL certs from the EFF



> From: Derek Atkins [mailto:warlord at MIT.EDU]
> 
> And you've already violated rule #1: You must trust your resolver.

That's the point we've been talking about. I forget who said in this thread that DNSSEC only provides security up to the last hop, not including the endpoint.

It is unavoidable that people will travel; they will connect to the Internet in coffee shops and hotels. It is not reasonable or realistic to expect them to trust their DNS resolver implicitly. You cannot trust the resolver, unless you are your own resolver, or the resolver relays security information to you which you're able to validate for yourself. It is unscalable for everybody to be their own resolver, breaking the distributed nature of DNS. So really, the only scalable solution is to provide security information to the endpoints. Unfortunately, it's also unrealistic to expect all the dumb Linksys routers and Comcast Internet connections of the world to be upgraded in any timely manner to support relaying security information to endpoints. Yes, it's possible for smart endpoints to query DNS providers as dictated by DHCP, and become their own secure resolvers if and only if the dumb DNS server failed to relay security information, but this starts out at the point of being currently unscalable.

We'll probably get there someday, just obviously not right now.
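The "last hop" problem above, shown as an added example that is not part of the original post or thread. The only "security information" a non-validating stub normally gets from its resolver is the AD (Authenticated Data) bit in the DNS header, and that bit is just a bit in an unauthenticated UDP payload: anything between the stub and the resolver (the coffee-shop router, the hotel's captive DNS) can set it while rewriting the answer. The DNS messages below are constructed in the code, the names and addresses are made up, and the on-path rewrite assumes the A record is the last record in the message, which is true for the message the block builds.

```python
"""Why a stub resolver cannot trust the resolver's AD bit (added illustration).

All DNS messages here are constructed in memory; nothing touches the network.
"""
import struct

# Header flag bits (RFC 1035 / RFC 4035): QR, AA, RD, RA, AD, CD.
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = (
    1 << 15, 1 << 10, 1 << 8, 1 << 7, 1 << 5, 1 << 4)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, qname: str, address: str, ad: bool) -> bytes:
    """Build a minimal response: one question, one A record, optional AD bit."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in address.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_flags(msg: bytes) -> dict:
    """Decode the header flags a stub would look at."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
    }


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def first_a_record(msg: bytes):
    """Return the first IN A address in the answer section, or None."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4       # name, then QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return None


def forge_on_path(msg: bytes, spoofed_address: str) -> bytes:
    """What an on-path box between stub and resolver can do to a plain UDP reply:
    keep the transaction ID and question intact, swap the address, set AD.
    Assumes (as in build_a_response) that the A record's RDATA ends the message."""
    buf = bytearray(msg)
    flags = struct.unpack("!H", buf[2:4])[0] | FLAG_AD
    buf[2:4] = struct.pack("!H", flags)
    buf[-4:] = bytes(int(octet) for octet in spoofed_address.split("."))
    return bytes(buf)


def naive_stub_accepts_as_secure(msg: bytes):
    """A stub that treats AD=1 from its resolver as proof of DNSSEC validation.
    Returns the address it would use, or None if it would refuse."""
    return first_a_record(msg) if parse_flags(msg)["ad"] else None


if __name__ == "__main__":
    legit = build_a_response(0x1234, "www.example.com", "192.0.2.10", ad=True)
    forged = forge_on_path(legit, "198.51.100.66")
    print("legit :", first_a_record(legit), parse_flags(legit)["ad"])
    print("forged:", first_a_record(forged), parse_flags(forged)["ad"])
    print("naive stub uses:", naive_stub_accepts_as_secure(forged))
```

The forged reply is byte-for-byte as "authenticated" as the real one from the stub's point of view, which is the poster's point: the AD bit is a statement by the resolver, carried over an unprotected hop, so it is only meaningful if the stub already trusts both the resolver and the path to it. A stub that wants to stop trusting the hop has to fetch the RRSIG and DNSKEY records itself (set the DO bit, validate the chain from a local trust anchor) or move the resolver traffic onto an authenticated channel; either way it becomes, for DNSSEC purposes, its own validating resolver.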



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org